Patch for 73341
commit 504ff0629f7ce8c0d4fc001673e6600f98b31e28 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Oct 23 21:56:35 2016 -0700 | |
Fix bug #73144 and bug #73341 - remove extra dtor | |
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c | |
index 700d609..e7cbd1f 100644 | |
--- a/ext/spl/spl_array.c | |
+++ b/ext/spl/spl_array.c | |
@@ -1812,7 +1812,7 @@ SPL_METHOD(Array, unserialize) | |
ALLOC_INIT_ZVAL(intern->array); | |
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) | |
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { | |
- zval_ptr_dtor(&intern->array); | |
+ // zval_ptr_dtor(&intern->array); | |
goto outexcept; | |
} | |
var_push_dtor(&var_hash, &intern->array); | |
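Review bot: The `+` line keeps `zval_ptr_dtor(&intern->array)` as commented-out code, which records that the call was removed but not why it must not run, so a later cleanup is likely to put it back. The commit title calls this the "extra dtor", which implies intern->array is already released on the outexcept path (that label and SPL_METHOD(Array, unserialize) itself both lie outside this hunk, so I cannot confirm where); the line should be deleted and the reason carried by a comment in its place, e.g. `/* do not dtor intern->array here: the outexcept path releases it, and doing it twice was bug #73144/#73341 */`. It is also worth confirming that the outexcept cleanup copes with a php_var_unserialize failure that left intern->array only partially built, since that is the state in which this branch is taken.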
diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt | |
new file mode 100644 | |
index 0000000..5542321 | |
--- /dev/null | |
+++ b/ext/standard/tests/serialize/bug73341.phpt | |
@@ -0,0 +1,24 @@ | |
+--TEST-- | |
+Bug #73144 (Use-afte-free in ArrayObject Deserialization) | |
+--FILE-- | |
+<?php | |
+try { | |
+$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0'; | |
+$obj = unserialize($token); | |
+} catch(Exception $e) { | |
+ echo $e->getMessage()."\n"; | |
+} | |
+ | |
+try { | |
+$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}'; | |
+$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; | |
+unserialize($exploit); | |
+} catch(Exception $e) { | |
+ echo $e->getMessage()."\n"; | |
+} | |
+?> | |
+--EXPECTF-- | |
+Error at offset 6 of 7 bytes | |
+ | |
+Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d | |
+Error at offset 24 of 34 bytes | |
\ No newline at end of file |
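Review bot: The `--TEST--` line names only bug #73144 and misspells "Use-afte-free", while the file is named bug73341.phpt and the commit message says it fixes both #73144 and #73341; it should read `Bug #73144 and #73341 (Use-after-free in ArrayObject unserialization)` so the test is found from either bug number. The two serialized inputs on the `$token` and `$inner` lines are otherwise undocumented; a one-line comment above each stating which failure path in ArrayObject::unserialize it is meant to drive would let a reader check the offsets in `--EXPECTF--` (6 of 7 bytes, 24 of 34 bytes) against the input rather than taking them on faith. The missing trailing newline flagged by `\ No newline at end of file` is worth adding before merge, since the other phpt files in the tree are newline-terminated.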